Last Update: April 26, 2023

zenloop Data Processing Agreement (DPA)

Agreement relating to the performance of commissioned data processing services pursuant to Article 28 GDPR

This data processing agreement is between

You

– Customer –

and

SaaS.group zenloop GmbH
Attilastraße 18
12529 Schönefeld

– Data Processor –

§ 1 Preamble, Subject-Matter and Order of Precedence

(1) General. This agreement (the “Data Processing Agreement”) forms part of the agreement between you and zenloop relating to the provision of our Services (the “Contract”).

(2) Subject matter of Agreement. This Data Processing Agreement describes how zenloop will Process Survey Recipient Data that you provide to us in connection with your use of our Services, in accordance with the requirements of Data Protection Laws.

(3) Conflicts. In case of any conflict, the provisions of this Data Processing Agreement shall take precedence over the provisions of the past or future non-disclosure agreements and other agreements concluded between the parties.

§ 2 Definitions

Throughout this Data Processing Agreement, we may use certain words or phrases, and it is important that you understand the meaning of them. The list is not all-encompassing and no definition should be considered binding to the point that it renders this Data Processing Agreement nonsensical:

(1) “Customer” or “you” refers to you, the person who is entering into the Contract (including this Data Processing Agreement) with zenloop; If you use our Services on behalf of an organization, you agree to these terms on behalf of that organization and you represent that you have the authority to do so. In such cases, “Customer” or “you” will refer to that organization.

(2) “Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the processing of personal data (including in connection with providing telecommunication services and conducting email marketing), and including, without limitation, the GDPR, the German Act Against Unfair Competition (UWG), the German Telecommunications Act (TKG) and the German Telemedia Act (TMG).

(3) “GDPR” means the General Data Protection Regulation.

(4) “Individual Contract” means the Purchase Order, the letter of agreement, the agreement on SaaS-based Services, the SaaS contract or other type of the agreement concluded between the Customer and zenloop for the provision of SaaS Services and/or Additional Services.

(5) “Process” or “Processing” means any operation or set of operations which is performed by zenloop as part of the Services upon Survey Recipient Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

(6) “Services” means the services that we provide through our Site, including our customer insight and loyalty services.

(7) “Site” means our website, www.zenloop.com, as well as the associated platform.

(8) “Subprocessor” means a third party subcontractor engaged by zenloop which, as part of the subcontractor’s role of delivering the Services, will Process Survey Recipient Data.

(9) “Survey Recipient” means any identified or identifiable natural person who is a customer, employee or business contact of yours and who has been or will be contacted by you through our Site.

(10) “Survey Recipient Data” means any personal information relating to a Survey Recipient that you or any of your Survey Recipients provide to zenloop in connection with your use of the Services. Survey Recipient Data also include all information and data of online ratings retrieved by the Customer from online platforms of other providers via zenloop’s software-as-a-service platform using zenloop Online Reputation Management Services.

(11) “Contract” is the Individual Contract, the zenloop Terms of Services and this Data Processing Agreement.

(12) “Special Categories of Personal Data” means data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data, health data, or data concerning a natural person’s sex life or sexual orientation (cf. Art. 9(1) GDPR).

Other terms have the definitions provided for them in the Agreement or as otherwise specified below.

§ 3 Scope, Duration, Type of Survey Recipient Data and Categories of Data Subjects

(1) General Scope. Under the terms of this Data Processing Agreement, zenloop will Process Survey Recipient Data on behalf of Customer in accordance with article 28 GDPR.

(2) Duration. This Data Processing Agreement shall be effective for the duration of zenloop’s Services under the Contact, and shall terminate automatically upon expiration or termination of the Contractfor any reason.

(3) Scope, Nature and Purpose of Processing. The scope of the Processing of Survey Recipient Data is the recording of customer satisfaction surveys and evaluations of customer’s products and services. The nature of the Processing shall be as defined in the Individual Contract, our Terms of Services and Privacy Policy. The purpose of the Data Processing is the process optimization at the customer.

(4) Types of Data. Processing may include the following types/categories of Survey Recipient Data: personal information including name or email address, IP address, usage data, device data, referral data and information from cookie and page tags.

(5) Categories of Data Subjects. The persons concerned by the Processing hereunder are assigned to the following categories: (i) customers of Customer; (ii) employees of Customer; and (iii) business contacts of Customer; in each case (i) through (iii) above, to the extent such customer, employee or business contact has been or will be contacted by you through our Site.

(6) Exclusion of Processing of Special Categories of Personal Data. The processing of special categories of personal data is excluded.

§ 4 Customer Instructions

(1) Processing Instructions. During our Services, you may provide instructions to us in addition to those specified in this Data Processing Agreement with regard to the processing of Survey Recipient Data (each such instruction hereinafter, a “Processing Instruction”) in connection with our Services. Any Processing Instruction must be in writing or in electronic form. We will process your Survey Recipient Data according to your instructions.

(2) Change requests. Any Processing Instruction that amends or deviates from the terms of this Data Processing Agreement will constitute a change request and will be subject to the requirements set forth in § 14 (1). We will negotiate in good faith with you with respect to any change in the Services and/or fees resulting from any Processing Instructions.

(3) Compliance of Processing Instructions with Data Protection Laws. You are responsible for ensuring that your Processing Instructions comply with Data Protection Laws.

(4) Notification. If we believe that a Processing Instruction infringes or violates the GDPR or other Data Protection Laws, we will immediately inform you thereof.

§ 5 Obligations and Rights of the Customer

(1) Compliance of Processing with Data Protection Laws. You are responsible for ensuring that the Processing of Survey Recipient Data hereunder complies with the requirements of Data Protection Laws, including, but not limited to, concerning (i) the transmission of Survey Recipient Data to zenloop (including providing any required notices and obtaining any required consents), (ii) the use of any Survey Recipient Data in connection with any marketing or advertising you conduct, and (iii) your decisions and actions regarding the Processing and use of the Survey Recipient Data.

(2) Customer as Controller. You will be the controller as defined in article 4 paragraph 7 GDPR. You shall have sole responsibility for the accuracy, quality, and legality of Survey Recipient Data and the means by which you have acquired Survey Recipient Data.

(3) Special Categories of Personal Data. The Controller shall refrain from using the Site or the Services for the processing of special categories of personal data.

(4) Record of Processing Activities. You will maintain a record of processing activities under your responsibility in accordance with article 30 GDPR.

(5) Notification obligation. You will, without undue delay, inform us of any defect you may detect in our Services, and of any irregularity in the implementation of statutory regulations on data privacy.

§ 6 zenloop Obligations

(1) Processing solely for provision of Services. We will Process your Survey Recipient Data only on documented instructions from you and solely for the provision of the Services in accordance with article 28 paragraph 3 a) to h) GDPR and will not otherwise (i) Process or use your Survey Recipient Data for purposes other than those set forth in the Contract including this Data Processing Agreement or (ii) disclose your Survey Recipient Data to third parties other than Subprocessors for the aforementioned purposes or as required to do so by Union or Member State law to which we are subject. In such a case, we will inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

(2) Processing within and outside the EU/EEA. We will generally Process Survey Recipient Data within the territory of the Federal Republic of Germany, a Member State of the European Union or another signatory to the Agreement on the European Economic Area, or in a country with an adequate level of data protection under the decision of the European Commission. The servers for data processing are located exclusively within the area of application of the GDPR. The Processor may transfer the data to its subprocessors, which may transfer the data to affiliated companies or other subprocessors from third countries, in which case the subprocessor assures compliance with the obligations pursuant to Art. 44 et seq. GDPR.

(3) Personnel of zenloop. We will ensure that our personnel engaged in and authorized for the Processing of Survey Recipient Data are informed of the confidential nature of the Survey Recipient Data and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(4) Our data protection officer. We have appointed a data protection officer: The person may be reached by email via dpo@zenloop.com.

§ 7 Technical and Organizational Measures

(1) zenloop TOMs measures. When we Process Survey Recipient Data on your behalf, we will take all measures required pursuant to Article 32 GDPR, and have implemented and will maintain certain technical and organizational security measures for the Processing of such data, as such measures are specified in Annex 1. These measures are intended to protect Survey Recipient Data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and against all other unlawful forms of processing.

(2) Changes to TOMs. All technical and organizational security measures are subject to technical progress and development. Accordingly, we may modify our security measures and/or implement alternative security measures, provided, however, that these do not fall short of the level of security as contractually agreed upon in Annex 1.

§ 8 Customer Audit Rights

(1) Customer Audits. You may, prior to the commencement of our Services and up to once per year during the performance of our Services, audit the technical and organizational measures implemented by zenloop. You may perform more frequent audits to the extent required by Data Protection Laws.

(2) Details regarding Audits. In the course of such audit, you may, in particular, conduct the following measures: (i) You may obtain all such information from zenloop that is necessary to demonstrate compliance with the obligations laid down in this Data Processing Agreement. (ii) You may, upon reasonable advance agreement, during regular business hours and without interfering with zenloop’s business operations, conduct an on-site inspection of those parts of zenloop’s business facilities where Survey Recipient Data is being processed, subject to zenloop’s then-applicable security policies.

(3) On-Site Inspections. To request an on-site inspection, you must submit an inspection plan to us at least two weeks in advance of the proposed inspection date, describing the proposed scope, duration and start date of the inspection. We will review the inspection plan and provide you with any concerns or questions (for example, any request for information that could compromise zenloop’s security, privacy, employment or other relevant policies).

(4) Report in lieu of audit. If the requested audit scope is addressed in a SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within the prior twelve months, you agree to accept those findings in lieu of requesting an audit of the systems covered by the report.

(5) Sharing of reports. You will provide us with any audit reports generated under this section, unless prohibited by law. You may use the audit reports only for the purpose of confirming that our technical and organizational measures are in compliance with the requirements of this Data Processing Agreement. The audit reports are confidential information of the parties under the terms of the Contract.

(6) Costs of audits. Any audits are at your expense. Any request for zenloop to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required for the provision of the Services. We will seek your written approval and agreement to pay any related fees before performing such audit assistance.
Assistance provided for the purposes of fulfilling requirements arising from the GDPR and the BDSG (Federal Data Protection Act) are covered by the main contract and no additional fees are charged for these services.

(7) Third party auditors. If a third party is to conduct the audit, the third party must be mutually agreed to by Customer and zenloop and must execute a written confidentiality agreement acceptable to zenloop before conducting the audit.

§ 9 Subprocessors

(1) Subprocessors. We may engage Subprocessors to assist in the Processing of your Survey Recipient Data. By entering into this Data Processing Agreement with us, you give your prior general written authorization to our use of Subprocessors in accordance with article 28 paragraph 2 GDPR. A list of Subprocessor is provided in annex 2. Where we intend to add or replace a Subprocessor, we will inform you of such intended change, thereby giving you the opportunity to object to such change if there are reasonable concerns with regards to the appropriate protection of personal data. If you don’t object within two weeks from our notification regarding the change of a Subprocessor, it has the same effect as a consent. If you object to a change zenloop reserves the right to terminate the contractual relationship with you extraordinarily with a notice of two weeks.

(2) Our agreements with Subprocessors. We will ensure that all of our Subprocessors are required to abide by substantially the same obligations as zenloop under this Data Processing Agreement as applicable to their performance of the Services. This shall apply in particular, but not be limited to, the requirements in § 4,§ 7,§ 8, and § 10 to § 13. zenloop remains responsible at all times for compliance with the terms of this Data Processing Agreement by all Subprocessors engaged in the performance of our Services to you.

(3) As far as we work with freelancers, who have access to your personal data, we ensure that we only collaborate with freelancers providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. Processing by a freelancer is governed by a data processing agreement which ensures the same data protection standard you and we agreed on. We will provide a list of the freelancers upon request.

(4) Copies of relevant terms. You are entitled, upon written request, to receive copies of the relevant terms of zenloop’s agreement with each Subprocessor that Processes your Survey Recipient Data, unless the agreement contains confidential information, in which case zenloop may provide a redacted version of the agreement.

(5) Ancillary Services. This § 9 shall not apply where we engage third parties for ancillary services; these include, but are not limited to, telecommunications services, mail and shipping services, building security services, facility management services, and services relating to the cleaning or disposal of data media.

§ 10 Rights of Data Subjects

(1) Pass-through of Data Subject requests. When a Data Subject requests us to correct, delete or block Survey Recipient Data, we will pass on such request to you. zenloop will not respond to any requests of Data Subjects without your prior written consent.

(2) Assistance. Where a Data Subject requests you to correct, delete or block Survey Recipient Data or to provide information about the collection, processing or use of Survey Recipient Data in connection with our Services, as well as in the cases of Art. 18, 20 and 21 GDPR, and you are unable to fulfill the request by yourself through our Site, we will support you in responding to the request and in fulfilling the request by appropriate technical and organisational measures, insofar as this is possible, provided that (i) you instruct us to do so in writing or in text form and (ii) you reimburse us for the cost and expenses incurred in providing such support.
Assistance provided for the purposes of fulfilling requirements arising from the GDPR and the BDSG (Federal Data Protection Act) are covered by the main contract and no additional fees are charged for these services.

§ 11 Deletion of Data

(1) No copies or duplicates. We will not create copies or duplicates of your Survey Recipient Data without your prior knowledge. Notwithstanding the preceding sentence, we may (i) create backup copies and replications of our databases, to the extent that this is necessary to ensure the proper Processing of Survey Recipient Data, the functionality of our platform and product development (ii) prepare and retain copies of Survey Recipient Data where required by us to comply with any statutory retention and storage obligations.

(2) Deletion of data. Upon cancellation of your account, or at any prior time upon your written request, we will delete all copies of your Survey Recipient Data from our systems within one month. We are not liable for any loss or damage following, or as a result of, such deletion, and it is your responsibility to ensure that any Survey Recipient Data which you require is backed-up or replicated before deletion.

(3) Continued use for legal obligations. Notwithstanding the above, we will retain only those Survey Recipient Data which are required to comply with our legal obligations, resolve disputes, and enforce our agreements.

§ 12 Service Analyses and Data Anonymization

(1) Service Analyses. We may compile statistical and other information related to the performance, operation and use of our Services. Service Analyses will not incorporate Customer’s Survey Recipient Data in a form that could identify or serve to identify any Survey Recipient.

(2) Data Anonymization. As indicated in §11(1), we may create backup copies and replications of our databases. zenloop shall also have a right to anonymize the Survey Recipient Data in such backups and replications and perform the processing steps necessary for such anonymization. The original dataset shall not be affected by anonymization.

(3) Anonymized or aggregated data are no longer considered personal data. While maintaining anonymity, zenloop may use all data created for its own purposes, such as statistical analyses, industry comparisons, benchmarking, research and development and other purposes. zenloop shall be entitled to use and retain such data for its own purposes beyond the end of the Contract.

§ 13 Duties to Notify and Further Support

(1) Notification of (governmental) searches and seizures. We will, without undue delay, inform you if your Survey Recipient Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in our control. In such event, we will inform all pertinent parties in such action, that any data affected thereby is in your sole property and area of responsibility, that data is at your sole disposition, and that you are the responsible body in the sense of the GDPR.

(2) Notification of incidents and breaches. We will, without undue delay, inform you if we determine that (i) your Survey Recipient Data has been subject to a security incident (internal or external) or (ii) there has been a breach by zenloop (internal or external) of Data Protection Laws applicable to the performance of our Services to you or of any or any of the provisions set forth in this Data Processing Agreement. In such event, we will promptly investigate the security incident or breach and take reasonable measures to identify its root cause and prevent a recurrence.

(3) Assistance. In the event that, due to the security incident or breach, you are required to fulfill any disclosure obligations in accordance with article 33 GDPR, we will support you fulfilling such obligations, provided that (i) you instruct us to do so in writing or in text form and (ii) you reimburse us for our reasonable and documented cost and expenses incurred in providing such support. Assistance provided for the purposes of fulfilling requirements arising from the GDPR and the BDSG (Federal Data Protection Act) are covered by the main contract and no additional fees are charged for these services.

(4) Further Support. In addition to our assistance obligations above, we will assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to us, provided that (i) you instruct us to do so in writing or in text form and (ii) you reimburse us for our reasonable and documented cost and expenses incurred in providing such support.

§ 14 Changes

(1) Changes to these terms. zenloop may change these terms at any time for a variety of reasons, such as to reflect changes in applicable law, to reflect updates to our Services or the technical and/or organizational measures we employ, and to account for new Services or functionalities.

(2) Notification of changes. Typically, we will not notify you in advance when we modify or update the terms of this Data Processing Agreement. However, when you first log in to our Site after such modification or update, we will notify you of the change by electronic means. If you continue to use our Services following such notice, you consent to any such amendment or modification, unless zenloop receives a timely objection from you.

(3) Current version. Amendments to these terms will be effective immediately when posted on our Site. You are responsible for ensuring familiarity with the latest terms of our Data Processing Agreement. You can always find the most current version of our terms at www.zenloop.com/de/legal/data-processing.

§15 Miscellaneous

(1) Severability. Where individual provisions of this Data Processing Agreement are invalid or unenforceable, the validity and enforceability of the other provisions of this Data Processing Agreement shall not be affected.

(2) Governing law and venue. This Data Processing Agreement is subject to German law. Any disputes arising out of or in connection with this Data Processing Agreement shall be exclusively submitted to the courts of Berlin.

Note: This Data Processing Agreement is effective without signature by concluding an Individual Contract with zenloop. However, for the purpose of easier verification, we recommend that the customer print out the Contract and attach it to their own documents.

 

Customer

Name:

Title:

Date:

Signature:

 

zenloop

Name:

Title:

Date:

Signature:

 

Annex 1

Technical and organizational measures to ensure the security of processing

1. Measures to ensure confidentiality

1.1. Physical access control

Measures that physically deny unauthorized persons access to IT systems and data processing equipment used to process personal data, as well as to confidential files and data storage media. Description of physical access control:

  • Safety locks on doors 
  • Careful selection of cleaning staff 
  • Admission management: authorized personnel and scope of authorization are pre-defined 
  • Careful selection of security staff 
  • Further measures by service provider

zenloop does not own a data center. All our servers and hosting equipment are rented as service from Amazon AWS (Amazon Web Services EMEA SARL, Luxembourg).

1.2. Logical access control

Measures to prevent unauthorized persons from processing or using data which is protected by data privacy laws. Description of logical access control system: 

  • Limitation of the number of authorized employees 
  • Password procedure, i.e. personal and individual login user credentials when logging on to the system (e.g. special characters, minimum length, regular password change) 
  • User rights are granted restrictively 
  • Role-Based Access Control (RBAC)
  • All log-ons / log-offs are recorded 
  • Use of central password policy

1.3. Data access control

Measures to ensure that persons authorized to use data processing systems can only access personal data according to their access rights, so that data cannot be read, copied, changed or removed without authorization during processing, use and storage. Description of data access control: 

  • Limitation of the number of authorized employees 
  • Password procedure, i.e. personal and individual login user credentials when logging on to the system (e.g. special characters, minimum length, regular password change) 
  • All data access is logged automatically 
  • Small number of system administrators 
  • Records and log files are analyzed regularly
  • 4-eye principle when dealing with access to production data

1.4. Separation rule

Measures to ensure that data collected for different purposes are processed separately and separated from other data and systems in such a way as to preclude the unplanned use of such data for other purposes. Description of the separation control process: 

  • Systems allow for data segregation (multi-tenancy), data is segregated by software 
  • Productive systems and test systems are separated from each other 
  • Data sets can be accessed only through those applications which have been pre-defined
  • Database user rights are issued and managed centrally
  • 4-eye principle when dealing with access to production data

1.5. Pseudonymization measures

Measures that reduce direct references to persons during processing in such a way that it is only possible to associate data with a specific person if additional information is included. The additional information must be kept separately from the pseudonym by appropriate technical and organizational measures. Description of the pseudonymization:

  • none due to work on a central server system

2. Measures to ensure integrity

2.1. Transmission and transport control

Measures to ensure that the confidentiality and integrity of data is protected during transmission of personal data and transport of data carriers. Furthermore measures to ensure that it is possible to verify and establish to which bodies personal data may be or have been transmitted or made available using data communication equipment. Description of the transmission and transport control: 

  • HTTPS
  • VPN 
  • Unnecessary printouts are terminated 
  • No use of physical data carriers 
  • Comprehensive logging procedures 
  • No use of private data carriers at work

2.2. Input control

Measures to ensure that it can be subsequently verified and ascertained whether and by whom personal data have been entered or modified in data processing systems. Description of the input control process:

  • Logging of all system activities and keeping of these logs for at least six months 
  • Use of central rights management for entering, altering and deleting data

3. Measures to ensure availability and resilience

3.1. Availability control

Measures to ensure that personal data are protected against accidental destruction or loss. Description of the availability control system: 

  • Backups are taken on a regular basis 
  • Backup and recovery plan is in place 
  • Data backup files are stored at a safe and remote location, diverse additional measures taken by suppliers 
  • Localisation 
  • Additionally diverse measure of server service providers

3.2. Quick recovery

Measures to ensure the ability to quickly restore the availability of and access to personal data and used systems in the event of a physical or technical incident. Description of the measures for quick recovery:

  • Data backup procedure
  • Code backup and restore procedure
  • Infrastructure as a Code for fast recreation

4. Measures for the regular testing and evaluation of the security of data processing

Measures to ensure that the data are processed securely and in compliance with data protection regulation. Measures to ensure that personal data processed on behalf of the Controller can only be processed in accordance with the instructions of the Controller. Description of the order control measures:

  • Involvement of external data protection officers for all data protection-related questions 
  • Formalized processes for data privacy incidents

Annex 2

Subprocessors pursuant to Data Processing Agreement

The Processor currently works with the following subcontractors and the Controller hereby agrees to their appointment.

1. Amazon Web Services 

Company: Amazon Web Services EMEA SARL (“AWS”), country of registration: Luxembourg
Data processing activities: Data center
Data location: Ireland and Frankfurt zone

2. ElasticSearch 

Company: Elasticsearch B.V., country of registration: The Netherlands
Data processing activities: Search engine, indexing, search criteria.
Data location: Ireland

3. Google Cloud Platform 

Company: Google Cloud EMEA Limited, country of registration: Ireland
Data processing activities: Data center
Data location: Frankfurt, Germany